IT service providers and customers battle over data breaches

By Stephanie Overby, CIO | IT Management, outsourcing

There is no shortage of contentious contractual issues when inking an IT outsourcing deal, but one in particular has both providers and customers taking a hard line today: liability for data breaches.

At one time, data security liability was a relatively straightforward issue. Generally speaking, an outsourcing customer always had the responsibility to secure its own data, but provisions were inserted into contracts allocating responsibility for the confidential information to which a service provider had access. At that time, outsourcers were willing to take on unlimited financial liability for a breach of confidential data.

"The service provider was on the hook," says Chris Ford, chair of the global sourcing group at the law firm Morrison & Foerster. For other data breaches, there may have been a limitation of liability, typically set at a year's worth of service provider revenue associated with the contract. There were few, if any, special terms or requirements around data security processes.

Then along came federal regulations like Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) along with a swarm of state laws creating new requirements for companies suffering a data breach, including customer notification and damage mitigation provisions, such as mandatory credit monitoring and fraud protection for affected customers.

IT service providers saw the price tag on unlimited liability skyrocket. Potential damages from a data breach vary widely by industry and scope. Forrester estimated that the cost ranged from $90 to $305 per data record in 2007, while last year the Ponemon Institute tagged it at $214 per compromised record. "If you have a large customer base," Ford explained, "the price to comply could be very large."

IBM Reshapes the Liability Paradigm

And so the lawyers got to work. The big U.S. providers like IBM Global Services, HP and Accenture began reexamining their risk profiles and moving aggressively to limit liability. "Providers, led by IBM, pushed back hard," said Shawn Helms, partner in the outsourcing practice of law firm K&L Gates. They began creating secondary caps for certain breach of confidentiality or data protection measures. Those with clients with gigantic customer bases in sectors such as retail, energy or financial services were the most concerned.

Originally published on CIO.